    Tarun
    OIC Connectivity with EBS onprem failing
    Topic posted April 3, 2018 by Tarun (Red Ribbon: 250+ Points), last edited April 8, 2018 by Arijit Chakraborty (Bronze Trophy: 5,000+ Points), tagged E-Business Suite, Integration
    473 Views, 14 Comments

    Hello Experts,

     

    We have installed the on-prem agent on the EBS server and the agent is up and running.

    From OIC we created a new connection by providing all the details (EBS server URL, security with basic authentication, etc.), but when we test using the test link we get the below exception:

     

    [SRC Class: oracle.cloud.cpi.agent.transport.AQConsumer; Method: run] Error occurred while polling new messages. Sleeping for 30 seconds
    com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching oicdev-xxxx.aucom-east-1.oraclecloud.com found
        at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:155)
        at com.sun.jersey.api.client.Client.handle(Client.java:652)
        at com.sun.jersey.api.client.WebResource.handle(WebResource.java:682)
        at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)
        at com.sun.jersey.api.client.WebResource$Builder.get(WebResource.java:509)
        at oracle.cloud.cpi.agent.transport.AQConsumer.run(AQConsumer.java:87)
        at java.lang.Thread.run(Thread.java:748)
    Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching oicdev-te4b.aucom-east-1.oraclecloud.com found
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1564)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492)
        at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:347)
        at com.sun.jersey.client.urlconnection.URLConnectionClientHandler._invoke(URLConnectionClientHandler.java:253)
        at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:153)

     

    Any pointers on this will help us a lot in resolving this issue.

     

    Thanks

    Tarun

    Comment

     

    • Tarun

      Thanks Hemanth/Kishore,

      How do we make sure the agent is installed correctly? I can see the agent with the green running symbol on OIC, so is there any means by which I can see the agent is up and running fine? Also, when I start the agent I can see the below messages:

      -bash-4.1$ java -jar connectivityagent.jar

      Existing Agent installation found... Starting Agent for message processing.

      Enter your OIC username : tarun@***.com

      Enter password for tarun@***.com :

      Checking for already running instances of this agent. This might take upto 15 seconds ...

      Initializing the credential store ...

      Agent started successfully... listening for new messages...

      Apart from that, in the logs folder of the agenthome directory I see the SSLHandshake exception.

      Let me know if you need any more details so that I can send or try it out.

      Thanks

      Tarun

    • Nagireddy Tadi

      hi Tarun,

      Seems there is an issue with the OIC certificate that got imported into the agent during installation. Did this issue start recently, or have you been seeing it ever since the agent installation completed?

      Can you download the OIC certificate, manually import it into the agent using the following command, and try to test the connection?

      keytool -import -trustcacerts -alias oiccert1 -file <OICCertificatepath> -keystore <AGENTINSTALLDIR>agenthome/agent/cert/keystore.jks -storepass changeit

      Please make sure you restart agent after certificate import.

    • Tarun

      Thanks a lot, I will try this and let you know.

      This step was missing when I installed the agent.

    • Tarun

      Hemanth,

      Still I get the same error even after importing the OIC certificate by using the below command

      keytool -import -trustcacerts -alias oiccert1 -file /home/oraerp/agent/-aucom-east-1oraclecloudcom.crt -keystore /home/oraerp/agent/agenthome/agent/cert/keystore.jks -storepass changeit

      Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching oicdev-te4b.aucom-east-1.oraclecloud.com found

              at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)

              at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)

              at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)

              at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)

              at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)

              at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)

              at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)

              at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)

              at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)

              at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)

              at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)

              at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)

              at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)

              at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)

              at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1564)

              at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492)

              at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)

              at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:347)

              at com.sun.jersey.client.urlconnection.URLConnectionClientHandler._invoke(URLConnectionClientHandler.java:253)

              at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:153)

              ... 6 more

      Caused by: java.security.cert.CertificateException: No name matching oicdev-xxxx.aucom-east-1.oraclecloud.com found

              at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:231)

              at sun.security.util.HostnameChecker.match(HostnameChecker.java:96)

              at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)

              at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)

              at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:200)

              at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)

              at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)

              ... 21 more

      Thanks

      Tarun

    • Tarun

      Hi Nagireddy/All,

      Still I get the same error, but I think the error message "no matching hostname" is picking up from the hosts file.

      Hosts File:

      x.x.x.x   OICDev-***.aucom-east-1.oraclecloud.com

      where x.x.x.x is the IP address of OIC and OICDev-***.aucom-east-1.oraclecloud.com is the URL of OIC.

      Let me know if this is correct or whether I need to change anything in the hosts file.

      Error:

      Method: run] Error occurred while polling new messages. Sleeping for 30 seconds com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching oicdev-***.aucom-east-1.oraclecloud.com found

      Thanks

      Tarun.

    • Hemanth Lakkaraju

      Looks like a problem with the agent installation. Can you paste the agent installation logs?

    • Kishore Gollapalli

      Appears like a certificate issue; can you import the certificate and test the connection? Also, make sure the agent is installed correctly and SSL is set up correctly.

      javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No

    • Kishore Gollapalli

      Also, from the below message it appears that it's unable to reach ICS.

      name matching oicdev-xxxx.aucom-east-1.oraclecloud.com found at

    • Nagireddy Tadi

      hi Tarun,

      Seems the OIC certificate is a self-signed certificate. For a CA-signed certificate we don't see this issue.

      As per your earlier post, you have one other agent installed with the EBS_AGENT agent group in the same OIC. Is the agent runtime working with that agent?

    • Tarun

      Thanks Nagireddy,

      We have now made the EBS URL https by applying an SSL certificate and are able to download and export that certificate into OIC.

      But still the same exception; I tried restarting the agent again.

      So two questions:

      1) In the hosts file of the EBS server we are mentioning the OIC URL, which is the same as that mentioned during the agent installation, as below:

           x.x.x.x OICDev-***.aucom-east-1.oraclecloud.com  hostname (Host name of OIC server)

      Is the above information added to the hosts file correct?

      2) The EBS URL ( https://***.com:443 ) is accessible only from the VPN, and this is the URL we are mentioning in the OIC connectivity step. So I just wanted to ask: this EBS URL is currently accessible only within the VPN and not from outside, so is this causing the issue of not connecting with the OIC server?

      Thanks

      Tarun

    • Tarun

      Hi Hemanth,

      From the ICS certificate, the CN I see is *.aucom-east-1.oraclecloud.com, and on the EBS server where the agent is installed I can also find that CN present in the keystore.jks file, as below:

      Alias name: oicebscert

      Creation date: Apr 3, 2018

      Entry type: trustedCertEntry

      Owner: CN=*.aucom-east-1.oraclecloud.com,

      I also imported the certificate of the EBS server https://ebsserver:port into the ICS certificates, but still the error remains the same:

      Caused by: java.security.cert.CertificateException: No name matching ***-***.aucom-east-1.oraclecloud.com found

              at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:231)

              at sun.security.util.HostnameChecker.match(HostnameChecker.java:96)

              at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)

              at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)

              at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:200)

      So not sure.

      But I just wanted to know: the EBS URL is https with the default port, but it can be accessed only through the VPN and not from outside.

      And during our test from OIC connectivity we provide this URL and test, where it fails with the error:

      Unable to test connection "TE4B". [Cause: CASDK-0005]

      • CASDK-0005 : A connector specific exception was raised by the application.
      • No response received within response time out window of 120 seconds. Agent may not be running, or temporarily facing connectivity issues to Oracle Integration Cloud Service. Please check the health of the Agent in Agent Monitoring page.

      Note: This is an OIC trial instance, so is there any limitation with the trial version?

      Thanks

      Tarun

    • Tarun

      Yes, you are right, but this OIC with the wildcard character is from Oracle Cloud only, and the discrete host name is the URL of ICS, which I have taken from the ICS home page and have configured in the hosts file of the EBS server.

      Thanks

      Tarun

    • Hemanth Lakkaraju

      What is the CN of the ICS certificate you see? Using keytool you can list the certificates imported into the Connectivity Agent JKS store and see whether the ICS certificate is uploaded correctly or not.

    • Hemanth Lakkaraju

      Looks like there is a mismatch of CN, hence the failure. The actual certificate CN is using a wildcard while the error suggests a discrete host name - am I correct?
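
Added example, not part of any post in this thread: a Python implementation of the HTTPS server-identity rule (RFC 2818) behind the "No name matching ... found" failure discussed above, where dNSName subject alternative names take precedence and the CN is consulted only when the certificate has none. The host names and certificates are constructed placeholders, the function names are hypothetical, and the wildcard rule used is the strict whole-leftmost-label form, which may be narrower than what a given TLS stack accepts.

```python
# Added example: hostname check over a certificate in the dict shape
# returned by Python's ssl.SSLSocket.getpeercert(). All data is constructed.

def _name_match(pattern, host):
    """Compare one presented name with the host; '*' must be the whole leftmost label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in p:
        return p == h
    p_first, _, p_rest = p.partition(".")
    h_first, _, h_rest = h.partition(".")
    # A wildcard covers exactly one label and never a bare top-level name.
    return p_first == "*" and bool(h_first) and p_rest == h_rest and "." in p_rest


def check_identity(host, cert):
    """Return (ok, reason) for `host` against the certificate the server presented."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        # dNSName SANs exist, so the CN is not consulted at all.
        hit = next((s for s in sans if _name_match(s, host)), None)
        return (True, "SAN " + hit) if hit else (False, "no SAN matches: %s" % sans)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    hit = next((c for c in cns if _name_match(c, host)), None)
    return (True, "CN " + hit) if hit else (False, "no SAN present, CN %s does not match" % cns)


# Constructed placeholders, not values taken from the thread.
HOST = "oicdev-example.region-1.example.com"
WILDCARD_CN_ONLY = {"subject": ((("commonName", "*.region-1.example.com"),),)}
WILDCARD_CN_OTHER_SAN = {
    "subject": ((("commonName", "*.region-1.example.com"),),),
    "subjectAltName": (("DNS", "lb.example.net"),),
}
# What the check sees if the address the name resolves to belongs to another server.
OTHER_SERVER = {"subject": ((("commonName", "proxy.internal.example"),),)}

if __name__ == "__main__":
    cases = [("wildcard CN only", WILDCARD_CN_ONLY),
             ("wildcard CN, unrelated SAN", WILDCARD_CN_OTHER_SAN),
             ("different server answered", OTHER_SERVER)]
    for label, cert in cases:
        print(label, "->", check_identity(HOST, cert))
```

The check runs against the certificate the server actually presents during the handshake, so a trusted entry in keystore.jks with a matching CN does not by itself make the host name match.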